Re: Tracking down anonymous user

Mat Benwell <mjbenny1 <at> gmail.com>
2007-01-01 03:31:56 GMT

Hi Mike,
Obviously it can be legitimate for there to be shared user-account
passwords, in particular for service accounts, but they should not be
allowed the right to log on to the local machine as a user (log on as a
service, yes). If they need to log on to the machine then you would
want to be able to audit their actions, so they should use individual
accounts.
As it is an internal email there is no need for any message transfer
between systems, so this would be why there is little info in the
headers. There will be no reference to SMTP as Exchange will not use
it unless it is sending outside the local Exchange environment (it can
use SMTP to transfer between sites in an organization), and by
default the Exchange client will not use SMTP either.
I would assume that the email was sent from the mailbox that was
created when the user account was created. In which case, I agree with
intel96, the only way you will be able to track it down is through
audit logs to see which workstation the account logged on to, or
possibly through message tracking if you happened to have it turned on
before the message was sent.
Even with this info it will be difficult to prove beyond doubt who
sent the email.
Cheers
Mat
intel96 wrote:
My 2 cents:

login sheets

Murda Mcloud <murdamcloud <at> bigpond.com>
2007-01-02 05:14:49 GMT

Just wondering how people deal with giving new users their initial login
details. Our users often have to know logins for four different systems in
their first week and I wanted to give them a sheet with these details on
them. Obviously each system will ask for a passphrase change when first
logging in.
Also, the sheet would have something along the lines of 'How to choose a
strong passphrase that does not contain your cat's name or your favourite
football team but is easy to remember'.

Re: RE: Tracking down anonymous user

<christopherkelley <at> hotmail.com>
2007-01-02 15:57:13 GMT

I think that everyone here is missing the fact that if this is an internal user in an Exchange environment
(unless you have a weird setup), the message should never reach the SMTP engine, so looking in the SMTP logs
will be fruitless (provided it _is_ an internal user). The same goes for trying to view the message header
information. Exchange handles internal email differently, especially in a single-server
environment, so if there is a header, chances are it will be meaningless.
Also, because it is a separate user account, looking in sent items/outboxes will also be a waste of time.
So... The first thing that I would do is to change the password on this account and evaluate the need for its
existence. If it is just a shared email address that is needed, that is possible to set up without having a
domain user account (and Exchange will log access to the inbox in case it happens again). Create the
mailbox in Exchange and give each person the necessary permissions to the inbox. The Exchange server will
wonderfully log by username all access to this mailbox, in the event that something like this happens again.
If the account exists to share access to resources, consider giving the people access to those resources
without having another account to blur the audit trail.
As far as finding out who did it, I'm not really sure. The beauty of having individual accounts really shines
here. Audit trails and individual accountability are key. But, you may want to look in the audit logs of
your domain controllers for logons and logoffs about the time the message was sent. It's been a while since
I have looked at Domain Controller Audit logs, but you may be able to see the workstation that the person was
using to login, which may tell you who did it.
Be very careful how you approach the next step, because if you don't cross your Ts and dot your Is, your legal
recourse will be thrown away (I'm going to assume that you/your company will want to fire/punish this
person). If you don't conduct your investigation properly, any evidence that you may collect may not be
usable against this person. Depending on how far you and your company wish to take this, I'd recommend
hiring a computer forensic specialist to conduct the investigation (that is, unless, of course, you have
the necessary tools and skills on hand to do a proper job).
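The correlation Christopher suggests, as an added example that is not part of the original thread or of any Microsoft tool: given the send time of the message, pull the logon-related events for the shared account from the domain controller's Security log (and, if you can get them, the IT workstations' own logs) in a window around that time, and list the workstation names and client addresses they carry. The CSV layout, the account name SHAREDSVC and every log line below are constructed for this example; the event IDs are the real Windows 2000/2003 and 2008+ numbers.

```python
import csv
import io
from datetime import datetime, timedelta

# Windows logon-related event IDs. 672/673/528/540 are the Windows 2000/2003
# numbers an Exchange 2003 shop would have had; 4768/4624 are the 2008+ ones.
# On a DC the Kerberos events are the useful ones: they record the client's
# IP address even when the user never logs on to the DC itself.
LOGON_EVENTS = {
    672: "Kerberos TGT granted (on the DC; carries the client address)",
    673: "Kerberos service ticket granted (on the DC; carries the client address)",
    528: "interactive logon (logged on the machine logged on to)",
    540: "network logon (logged on the server reached; names the client workstation)",
    4768: "Kerberos TGT granted (2008+)",
    4624: "logon (2008+; logon type 2 = interactive, 3 = network)",
}

# Constructed sample: a merged, CSV-flattened export of the DC's Security log
# and the IT workstations' logs. The column layout is an assumption for this
# example; real exports (Event Viewer "Save as", dumpel, eventquery) lay the
# message fields out differently and you would map them into these columns.
SAMPLE_CSV = """\
time,event_id,account,logon_type,workstation,client_address
2006-12-22 08:02:11,672,jsmith,,,10.1.4.21
2006-12-22 08:59:40,540,SHAREDSVC,3,APPSRV02,10.1.4.5
2006-12-22 09:41:07,672,SHAREDSVC,,,10.1.4.77
2006-12-22 09:41:09,528,SHAREDSVC,2,ITWS07,
2006-12-22 09:44:30,540,mikef,3,DC01,10.1.4.10
2006-12-22 13:10:02,672,SHAREDSVC,,,10.1.4.5
"""


def logons_near(csv_text, account, sent_at, window=timedelta(minutes=30)):
    """Logon-related events for `account` within +/- `window` of `sent_at`,
    oldest first. `sent_at` is the send time taken from the recipient's copy
    of the message or from the message-tracking log."""
    hits = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        if row["account"].lower() != account.lower():
            continue
        event_id = int(row["event_id"])
        if event_id not in LOGON_EVENTS:
            continue
        when = datetime.strptime(row["time"], "%Y-%m-%d %H:%M:%S")
        if abs(when - sent_at) > window:
            continue
        hits.append({
            "time": when,
            "event": LOGON_EVENTS[event_id],
            "workstation": row["workstation"] or None,
            "client_address": row["client_address"] or None,
        })
    return sorted(hits, key=lambda h: h["time"])


def candidate_sources(hits):
    """Distinct (workstation, client_address) pairs in the hits, in time order.
    These are what you cross-check against DHCP leases and the asset list."""
    seen, out = set(), []
    for h in hits:
        key = (h["workstation"], h["client_address"])
        if any(key) and key not in seen:
            seen.add(key)
            out.append(key)
    return out


def investigate(csv_text, account, sent_at_str, window_minutes=30):
    """Wrapper taking the send time as 'YYYY-MM-DD HH:MM:SS'; returns (hits, candidates)."""
    sent_at = datetime.strptime(sent_at_str, "%Y-%m-%d %H:%M:%S")
    hits = logons_near(csv_text, account, sent_at, timedelta(minutes=window_minutes))
    return hits, candidate_sources(hits)


if __name__ == "__main__":
    # Constructed send time; 09:45 puts the 09:41 logons in scope and leaves
    # the service account's routine 08:59 and 13:10 activity out of it.
    hits, candidates = investigate(SAMPLE_CSV, "SHAREDSVC", "2006-12-22 09:45:00")
    for h in hits:
        print(h["time"], "|", h["event"], "|", h["workstation"], h["client_address"])
    print("candidates:", candidates)
```

Widening the window brings the service account's legitimate use (the APPSRV02 network logons) into the list, which is exactly why a shared account blurs the trail: the script can narrow the set of machines, but as Mat says, it cannot by itself prove who sat at ITWS07.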

Securing eRIC express

Thomas D. <whistl0r <at> googlemail.com>
2007-01-02 17:29:12 GMT

Hello List,
we are going to use some "eRIC express" cards to administer some remote
servers.
These cards are reachable through the internet, 24/7.
The handbook tells us that we will have to use a username/password for
authentication.
I am not sure how secure this will be. Is there anything we can do to
protect these cards?
Thanks,
Thomas

RE: Tracking down anonymous user

Hello,
I wonder if the reason logging isn't showing the OP anything is that
Outlook wasn't used?
Given that Exchange is an open relay on the inside, these could be
command line generated messages.
Just telnet to your Exchange server on port 25 and away you go...
Kind Regards,
Scott Ramsdell
-----Original Message-----
From: listbounce <at> securityfocus.com [mailto:listbounce <at> securityfocus.com]
On Behalf Of Christopher Carnelian
Sent: Friday, December 29, 2006 11:25 AM
To: security-basics <at> securityfocus.com
Subject: RE: Tracking down anonymous user
I am also having this issue this morning. There appears to be no header
information as the email was sent internally. We have not turned on
message tracking in exchange, but now it appears we might. I was able to
reply to an email and place someone else's name in the from field as a
test and it worked. The email looked like it is being sent from the
individual and upon going in to view>options, there is no header
information. Any help would be appreciated.
J Carnelian

Re: Tracking down anonymous user

killy <killfactory <at> gmail.com>
2007-01-02 18:55:21 GMT

If this is still a covert operation on your part and the emails are
still being sent, try a packet logger on the Exchange server.
Something as simple as Wireshark could work.
If you can manage to span the port for the Exchange server, you could
use one of the many Linux security distros and sniff some
interesting traffic including SMTP.
my $0.02
On 26 Dec 2006 21:07:08 -0000, mikef <at> everfast.com <mikef <at> everfast.com> wrote:
> I'm trying to track down an internal user who is sending email under a different user account to hide
his/her identity.
> Scenario:
> I have a domain user account that about 15 people know the password to. Someone logged on using this account
and sent a message to a manager and because of the content of the message I'm 100% certain that it's an
internal user; not someone spoofing. As a matter of fact it's definitely someone in the IT department.
> Is there a way to track down what computer (IP address) was used to send the messages?
> The incident occurred a couple of days ago so I'm hoping I can still track down the user. I'm using exchange
server 2003.
>
> I've checked the Exchange log files, SMTP files from my SQL servers, and checked the recipient header (there
was no header info), but I'm not getting anywhere. If I can't get them this time what can I do to catch them the
next time.
>
>
--
If you spend more on coffee than on IT security, you will be hacked.
What's more, you deserve to be hacked.
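Scott's point (anyone inside can telnet to the Exchange server on port 25 and type a message under any name) and killy's (sniff port 25 on the server) meet in the capture: a hand-typed session looks different from one a mail client produces, and the TCP header gives you the client's address directly. The following is an added example, not code from the thread or from Wireshark: it parses the client side of a captured SMTP session and reports the envelope, the From: header and the tell-tale signs of a hand-typed message. The session text, the "> "/"< " direction prefixes, the banner wording, the host names and the address 10.1.4.77 are all constructed for the example.

```python
import re
from email.parser import Parser
from email.utils import parseaddr

# Constructed sample: a hand-typed SMTP session as it would be read off a
# capture of TCP/25 on the Exchange server (e.g. Wireshark "Follow TCP
# Stream"). Lines starting with ">" came from the client, lines starting with
# "<" are the server's replies. The prefixes and banner wording are assumptions
# for this example. The client address comes from the TCP header of the
# capture, not from the dialogue itself.
CLIENT_IP = "10.1.4.77"
SESSION = """\
< 220 mail.example.local Microsoft ESMTP MAIL Service ready
> HELO itws07
< 250 mail.example.local Hello [10.1.4.77]
> MAIL FROM:<sharedsvc@example.local>
< 250 2.1.0 sharedsvc@example.local....Sender OK
> RCPT TO:<manager@example.local>
< 250 2.1.5 manager@example.local
> DATA
< 354 Start mail input; end with <CRLF>.<CRLF>
> From: "A Colleague" <colleague@example.local>
> To: manager@example.local
> Subject: about your decision
>
> I know what you did.
> .
< 250 2.6.0 Queued mail for delivery
> QUIT
< 221 2.0.0 Service closing transmission channel
"""


def _address(arg):
    """Bare address out of 'FROM:<a@b>' / 'TO:<a@b>' (or the lax 'FROM:a@b')."""
    m = re.search(r"<([^>]*)>", arg)
    return (m.group(1) if m else arg.partition(":")[2]).strip()


def parse_session(session, client_ip):
    """Extract envelope, headers and the signs of a hand-typed message from a
    captured SMTP session in the ">"/"<" transcript form above."""
    envelope = {"client_ip": client_ip, "helo": None, "mail_from": None, "rcpt_to": []}
    body, in_data = [], False
    for raw in session.splitlines():
        if not raw.startswith(">"):          # skip the server's replies
            continue
        line = raw[2:] if raw.startswith("> ") else ""   # bare ">" is an empty line
        if in_data:                          # inside DATA, up to the lone "."
            if line == ".":
                in_data = False
            else:
                body.append(line)
            continue
        verb, _, arg = line.partition(" ")
        verb = verb.upper()
        if verb in ("HELO", "EHLO"):
            envelope["helo"] = arg.strip()
        elif verb == "MAIL":
            envelope["mail_from"] = _address(arg)
        elif verb == "RCPT":
            envelope["rcpt_to"].append(_address(arg))
        elif verb == "DATA":
            in_data = True

    msg = Parser().parsestr("\n".join(body))
    header_from = parseaddr(msg.get("From", ""))[1]

    findings = []
    if header_from and envelope["mail_from"] and header_from.lower() != envelope["mail_from"].lower():
        findings.append("From: header (%s) differs from envelope sender (%s)"
                        % (header_from, envelope["mail_from"]))
    for h in ("Message-ID", "Date"):          # mail clients add these; a typist rarely does
        if msg.get(h) is None:
            findings.append("no %s header: mail clients add one, hand-typed sessions usually do not" % h)
    if envelope["helo"] and not re.fullmatch(r"\[?\d+(\.\d+){3}\]?", envelope["helo"]):
        findings.append("HELO name %r is probably the typist's workstation name" % envelope["helo"])
    return {"envelope": envelope, "header_from": header_from,
            "subject": msg.get("Subject"), "findings": findings}


if __name__ == "__main__":
    result = parse_session(SESSION, CLIENT_IP)
    print("client:", result["envelope"]["client_ip"], "HELO:", result["envelope"]["helo"])
    print("envelope:", result["envelope"]["mail_from"], "->", result["envelope"]["rcpt_to"])
    print("From: header:", result["header_from"], "| Subject:", result["subject"])
    for f in result["findings"]:
        print(" -", f)
```

The same session sent through Outlook would carry Date and Message-ID headers and an envelope sender matching the From: header, so the absence of those is what separates "typed at a prompt" from "sent from a mailbox"; the client address and the HELO name are then the leads to chase against DHCP and the asset list.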

Re: Re: Tracking down anonymous user

<mikef <at> everfas.com>
2007-01-02 19:13:58 GMT

Unfortunately tracking wasn't enabled, nor were some of the other logging techniques mentioned. I have
since enabled tracking and logging with a more security-focused plan. I've also used this incident to get
the CIO to allow me to implement a password policy to eliminate sharing and logging on with service accounts.
thanks for all the helpful advice

RE: PGP encrypted email - basic questions

While we are on the subject, could someone reply to this message and
sign it with smime? I need to test something. Thanks.
Mike
-----Original Message-----
From: listbounce <at> securityfocus.com [mailto:listbounce <at> securityfocus.com]
On Behalf Of Thomas D.
Sent: Saturday, December 30, 2006 7:03 AM
To: security-basics <at> securityfocus.com
Subject: RE: PGP encrypted email - basic questions
Dave asked on Friday, December 29, 2006 4:01 PM:
> I understand that a recipient of a PGP signed/encrypted message will
> have to get my public key to decrypt said message.
Your recipient needs your public key to check the signature, but with
your public key alone he/she isn't able to decrypt the encrypted message,
because at the moment you send that mail you have to decide who should
be able to read it: you encrypt the message only with those recipients'
public keys (don't forget your own key if you want to be able to read
the mail in your "sent messages" folder).
> What I don't
> understand is how this is carried out in a seemingly automatic fashion
> for many of the email messages I receive, e.g. postings from mailing
> lists, in which I see the 'BEGIN PGP SIGNED.. ' and the signature at
> the end.
You can sign every mail you send. This can be done automatically